Security in a public library

[taltamir]

My public library uses an unsecure WiFi connection. I was going to point out that this is a sucurity problem when using passwords over the internet and suggest they use an encryption, while making the key available... it then occurred to me, if the keys are made available to all, is it even more secure?

Anyone knows?

 

[Emulex]

it is more secure with ap isolation and several keys that get changed. you can have as many ssid/keys as the router supports (dd-wrt supports ALOT). its security through obscurity. a thief would rather go find an open AP and do it the easy way than hack a protected network wouldn't you?

 

[taltamir]

But the theif does not need to hack the network (which, in fact he cannot do with AES WPA2 unless it uses a very weak password)

My point is, I can probably convince them to run a WPA2-PSK setup with the password being freely given to anyone who asks (say, password is "publiclibrary"); I seriously doubt they will go with RADIUS and unique username and passwords just on my suggesting so.

So my question is... if a theif has your WPA2-PSK password, is he able to analyze your packets and steal password information the same way he could from an unsecure network?

I would guess that he could do it as easily for a non protected network... unless it only uses the key for the handshake which involves creating a unique secure key.... unless he sniffed the handshake packets and has information on that as well...

 

[drebo]

If you have the PSK, it doesn't matter how strong the encryption is, it can be decrypted.

General rule of thumb is not to go to sensitive site (banks, etc) while connected to a public system. You never know what kind of snooping hardware they have there. They could be snooping your stuff.

 

[taltamir]

Its as I suspected and feared then... this also means that having it unsecured has the advantage of not giving people a false sense of security.

Yea, I would never go to my bank over wireless ... I'd like to see someone "hack" into my cat6 cable .

Thanks for the info.

 

[Nothinman]

Its as I suspected and feared then... this also means that having it unsecured has the advantage of not giving people a false sense of security.

Yea, I would never go to my bank over wireless ... I'd like to see someone "hack" into my cat6 cable .

Thanks for the info.

The exact same encryption key isn't used for every client so it's not like they can just joint the network and start sniffing other people's non-broadcast data in plain-text.

They don't have to hack your cat6 cable, they can sniff your traffic via any of a dozen networks your traffic must travel through in order to get to your bank's website. It's more work, but then so is cracking WPA compared to no encryption. If you're accessing your bank via the Internet you've already accepted the risk that someone can intercept the SSL traffic, period.

Hell, I'd guess that it's much more likely that you're bank will get broken into via their website or your CC# stolen via malware than someone getting it by sniffing traffic.

 

[taltamir]

The exact same encryption key isn't used for every client so it's not like they can just joint the network and start sniffing other people's non-broadcast data in plain-text.

but you have to someone get such a key. if they know your password could they not intercept the handshake where such a key is transmitted?

They don't have to hack your cat6 cable, they can sniff your traffic via any of a dozen networks your traffic must travel through in order to get to your bank's website. It's more work, but then so is cracking WPA compared to no encryption. If you're accessing your bank via the Internet you've already accepted the risk that someone can intercept the SSL traffic, period.

Obviously, but that is no reason to eschew all security. Wireless is inherently less secure, the security vulnerabilities you describe are shared by both wired and wireless.

Hell, I'd guess that it's much more likely that you're bank will get broken into via their website or your CC# stolen via malware than someone getting it by sniffing traffic.

Are you saying its more likely for someone to hack the bank itself then it is to steal your login being transmitted over unencrypted connection in a public library?
It doesn't sound more likely to me, but I wouldn't know the exact number of occurring of each... how do you know it?

 

[drebo]

Are you saying its more likely for someone to hack the bank itself then it is to steal your login being transmitted over unencrypted connection in a public library?
It doesn't sound more likely to me, but I wouldn't know the exact number of occurring of each... how do you know it?

If your bank is using SSL encryption, yes. However, someone could be using a proxy-arp method to run a man-in-the-middle operation and capture that encrypted data. You'd never know unless you knew what to look for.

Best rule of thumb is to not visit sensative websites on a network over which you do not have control.

 

[C1]

Are you saying its more likely for someone to hack the bank itself then it is to steal your login being transmitted over unencrypted connection in a public library?
It doesn't sound more likely to me, but I wouldn't know the exact number of occurring of each... how do you know it?

Whenever doing financial related transaction over the networks, I will use the CAT5. However, when using the public library open WIFI, I set my notebook's transmission power to minimum which reduces the range of reception so that it is not readily or easily detectable beyond the inside of the library building.

 

[Nothinman]

but you have to someone get such a key. if they know your password could they not intercept the handshake where such a key is transmitted?

The first sentence doesn't make much sense. But if they know the PSK and manage to capture the whole handshake, they may be able to decrypt your session. But if you're using HTTPS to access your bank then they have to break the SSL stream as well.

Obviously, but that is no reason to eschew all security. Wireless is inherently less secure, the security vulnerabilities you describe are shared by both wired and wireless.

Yes and so is malware and keyloggers which are far more common vectors of attack on Windows. I'm not saying to disregard security, but you have to realize that using a wired connection is only marginally more secure. If someone is targeting you directly they're probably going to do more than just follow you around with wireshark running.

Are you saying its more likely for someone to hack the bank itself then it is to steal your login being transmitted over unencrypted connection in a public library?
It doesn't sound more likely to me, but I wouldn't know the exact number of occurring of each... how do you know it?

If you're using SSL, then yes I would say so. Maybe not the bank itself but a partner, like recently happened with Epsilon.

 

[taltamir]

Yes and so is malware and keyloggers which are far more common vectors of attack on Windows.

Yes, they are.

I'm not saying to disregard security, but you have to realize that using a wired connection is only marginally more secure. If someone is targeting you directly they're probably going to do more than just follow you around with wireshark running.

I am aware its only marginally more secure. But thank you for telling me anyways, you had no way of knowing that I know.